Core Security researchers have found a remotely exploitable buffer overflow vulnerability affecting MikroTik RouterOS in all versions prior to the latest release.
The Latvian vendor MikroTik is known for producing routers used by many telco companies, running the Linux-based RouterOS operating system.
The buffer overflow vulnerability is tracked as CVE-2018-7445, and it could be exploited by a remote attacker with access to the affected service to execute arbitrary code on the system.
“A buffer overflow was found in the MikroTik RouterOS SMB service when processing NetBIOS session request messages. Remote attackers with access to the service can exploit this vulnerability and gain code execution on the system,” the Core Security advisory states.
“The overflow occurs before authentication takes place, so it is possible for an unauthenticated remote attacker to exploit it.”
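The advisory above does not give the details of the RouterOS bug, so the following is an added illustration, not Core Security's or MikroTik's code: a parser for the RFC 1002 NetBIOS session request message that shows the bounds checks such pre-authentication message handling needs (every length field comes from an unauthenticated peer), plus a helper that builds constructed test messages. The message layout, error codes and the 63-octet label limit follow RFC 1002; the function and type names are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define NBSS_SESSION_REQUEST 0x81   /* RFC 1002 session request packet type */
#define NB_NAME_CAP 256             /* room for one decoded name, NUL included */
typedef struct {
    uint8_t called[NB_NAME_CAP], calling[NB_NAME_CAP]; size_t called_len, calling_len;
} nbss_request_t;
/* Copy one label sequence from buf[off, end) into out. Every length byte comes from the
   peer, so it is checked against the bytes left in the message AND the destination
   capacity before any copy. Returns the offset after the root label, or 0 if malformed. */
static size_t parse_name(const uint8_t *buf, size_t off, size_t end,
                         uint8_t *out, size_t out_cap, size_t *out_len) {
    size_t n = 0;
    for (;;) {
        if (off >= end) return 0;                    /* ran out before the root label */
        uint8_t label_len = buf[off++];
        if (label_len == 0) break;                   /* root label ends the name */
        if (label_len > 63) return 0;                /* RFC 1002 label limit */
        if (label_len > end - off) return 0;         /* would read past the message */
        if (n + (n ? 1 : 0) + label_len + 1 > out_cap) return 0; /* would overflow out */
        if (n) out[n++] = '.';
        memcpy(out + n, buf + off, label_len);
        n += label_len; off += label_len;
    }
    out[n] = 0; *out_len = n; return off;
}
/* Returns 0 on success or a negative code; never reads past buf_len. */
int nbss_parse_session_request(const uint8_t *buf, size_t buf_len, nbss_request_t *req) {
    if (buf_len < 4) return -1;                      /* header incomplete */
    if (buf[0] != NBSS_SESSION_REQUEST) return -2;
    /* 17-bit length: the low flag bit is the high bit (RFC 1002 section 4.3.1) */
    size_t declared = ((size_t)(buf[1] & 1) << 16) | ((size_t)buf[2] << 8) | buf[3];
    if (declared > buf_len - 4) return -3;           /* claims more than actually arrived */
    size_t end = 4 + declared;
    size_t off = parse_name(buf, 4, end, req->called, NB_NAME_CAP, &req->called_len);
    if (off == 0) return -4;
    off = parse_name(buf, off, end, req->calling, NB_NAME_CAP, &req->calling_len);
    return off == 0 ? -5 : (off == end ? 0 : -6);    /* trailing bytes are rejected too */
}
/* Builds a well-formed request from two already-encoded single-label names (test helper). */
size_t nbss_build_session_request(uint8_t *out, size_t cap, const char *called, const char *calling) {
    size_t a = strlen(called), b = strlen(calling), len = a + 2 + b + 2;
    if (a == 0 || a > 63 || b == 0 || b > 63 || 4 + len > cap) return 0;
    out[0] = NBSS_SESSION_REQUEST; out[1] = 0; out[2] = (uint8_t)(len >> 8); out[3] = (uint8_t)len;
    size_t off = 4;
    out[off++] = (uint8_t)a; memcpy(out + off, called, a); off += a; out[off++] = 0;
    out[off++] = (uint8_t)b; memcpy(out + off, calling, b); off += b; out[off++] = 0;
    return off;
}
```

The parser keeps the 32-byte first-level encoded name as received; decoding it to the 16-byte NetBIOS name is a separate step not shown here.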
The security experts released proof-of-concept exploit code that works against MikroTik’s x86 Cloud Hosted Router.
Core Security first reported the vulnerability to MikroTik on February 19 of this year. At that time, MikroTik planned to release a fix on March 1, 2018 and asked Core to keep the details of the flaw private.
Although MikroTik was not able to issue a fix by that deadline, Core Security waited for the release of the new version, which occurred on March 12, 2018. For users unable to install the update, MikroTik suggested disabling SMB.
Unfortunately, just a few days ago, Kaspersky Lab reported a new, sophisticated APT group that has been operating since at least 2012. While tracking the group, the Kaspersky experts identified a strain of malware called Slingshot, used to compromise systems in the Middle East and Africa.
According to the researchers, the APT group exploited vulnerabilities (CVE-2007-5633, CVE-2010-1592 and CVE-2009-0824) in routers made by the Latvian network hardware provider MikroTik to drop spyware onto users’ machines.
The attackers compromise the router first, then replace one of the DLLs on its file system with a malicious one; that library is loaded into the target computer’s memory as soon as the victim runs Winbox Loader, a management suite for MikroTik routers.
After that, the DLL file runs on the victim’s computer and connects to a remote server to download the final payload: the Slingshot malware.
Currently there is no information on whether the Slingshot group has exploited CVE-2018-7445 to compromise routers. However, since proof-of-concept exploit code is publicly available, users should upgrade RouterOS to version 6.41.3 to avoid security problems.